
Security quote of the week

At no point have I been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor in Fedora's signed secure boot binaries, including shim, grub2, the kernel, and pesign, nor have I at any time been approached about disclosure of our signing keys. I am also not aware of anyone else involved in our signing that has been contacted with warrants of any kind, or any similar instrument, or in any way, from governmental or non-governmental entities, about inclusion of any kind of malware or backdoor in Fedora's signed secure boot binaries, including shim, grub2, the kernel, and pesign, nor have I at any time been approached about disclosure of our signing keys.
Peter Jones writes the first in a series of "canaries" (more info)

Security quote of the week

Posted Jun 12, 2014 9:57 UTC (Thu) by DOT (subscriber, #58786) [Link] (6 responses)

I wonder how much use such a statement is. Presumably, the logic behind this is that if such a statement disappears, we have a backdoor. But if someone can be coerced to put a backdoor in a program, surely they can be coerced to lie about it?

Security quote of the week

Posted Jun 12, 2014 12:14 UTC (Thu) by madscientist (subscriber, #16861) [Link] (5 responses)

I think the idea is that when government agencies come around "requesting" backdoor access, they also arrive bearing court orders that require you to not tell anyone that they "requested" backdoor access.

I'm not sure anyone has ever heard of a court order that required you to affirmatively _lie_ and say that you have NOT received such a request when you had. I have a feeling that, at least in the USA, such a thing would not be constitutional. It's one thing to keep you from disclosing something for (purported) national security reasons. It's quite another to force you to disclose things that aren't true.

Security quote of the week

Posted Jun 12, 2014 13:10 UTC (Thu) by DOT (subscriber, #58786) [Link] (4 responses)

It seems these matters haven't been tested in court. (Or maybe they have been and it was kept secret.) In any case, they could just pose as you and then forbid you from disclosing that fact, or pay you a lot of money to lie. Bottom line is that you can't trust these messages.

Security quote of the week

Posted Jun 12, 2014 14:57 UTC (Thu) by mrshiny (guest, #4266) [Link]

You can't fully trust the existence of such a message. But you could probably trust its disappearance.

Security quote of the week

Posted Jun 12, 2014 15:41 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (2 responses)

I think that there are laws stating that you cannot be compelled to lie whereas they can tell you that you can't tell the truth. Basically if they do so, they are causing entrapment of perjury if things come up in court. Really, they'd probably just force you to play the "national security" card on the stand. Or you plead the fifth.

Security quote of the week

Posted Jun 12, 2014 16:29 UTC (Thu) by rgmoore (✭ supporter ✭, #75) [Link]

They would only be suborning perjury if the statement were made under oath. If it's a completely voluntary statement not made under oath, there's no legal penalty for lying and the government might be able to compel you to lie for national security reasons. But filings with the SEC are made under oath, so they're an ideal place for this kind of canary statement. ISTR that some companies have started including them in their SEC filings because they don't think the courts can or will force them to lie under oath.

Security quote of the week

Posted Jun 12, 2014 17:35 UTC (Thu) by dsmouse (guest, #14180) [Link]

If he is representing a product, and lies about the product, it would be fraud.

Security quote of the week

Posted Jun 19, 2014 4:38 UTC (Thu) by cypherpunks (guest, #1288) [Link] (1 responses)

Whoah.

Does this mean that he is aware of someone else involved in their signing that has been approached about disclosure of the signing keys for both Fedora and RHEL?

Because in the space where this denial should logically go, instead of saying that for both Fedora and RHEL, he repeats an earlier claim that he has not been approached about disclosure of their signing keys.

Or it could just be a copy and paste error.

Security quote of the week

Posted Jun 21, 2014 0:26 UTC (Sat) by jimparis (guest, #38647) [Link]

Yeah, if you're going to be really paranoid there are a number of holes you can pick out of his text. Maybe they're on purpose, but of course there's no way to know for sure.

One interesting test would be for anyone in the world to send him an e-mail simply asking for their signing keys. Then see if the following statement correctly disappears from his next canary:
> nor have I at any time been approached about disclosure of our signing keys
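A monitor for the test jimparis proposes, built on mrshiny's observation that the disappearance of a statement (or a canary going stale) is the only signal worth acting on; this is an added Python example, not code from the thread or from Fedora. The `Issued:` date line, the 45-day maximum age and the sample canary texts are assumptions constructed here.

```python
"""Warrant-canary monitor: alert on a missing statement or a stale canary.

Assumption (constructed for this example): each canary is plain text carrying
an 'Issued: YYYY-MM-DD' line, and the monitor keeps a list of sentences that
must appear verbatim in every revision. Presence proves little; absence or
staleness is what a reader should treat as a signal.
"""
import re
from datetime import date, timedelta

# Statements that must survive from one canary to the next, quoted from the
# text at the top of this page.
REQUIRED = [
    "inclusion of any kind of malware or backdoor in Fedora's signed secure boot binaries",
    "nor have I at any time been approached about disclosure of our signing keys",
]


def check_canary(text, required, today, max_age_days=45):
    """Return a list of problems; an empty list means nothing has changed."""
    problems = []
    m = re.search(r"^Issued:\s*(\d{4})-(\d{2})-(\d{2})\s*$", text, re.M)
    if not m:
        problems.append("no Issued: date")
    else:
        issued = date(*map(int, m.groups()))
        age = (today - issued).days
        if age > max_age_days:
            problems.append(f"stale: issued {issued}, {age} days ago")
    # Collapse line wrapping so a quoted sentence matches regardless of layout.
    normalized = " ".join(text.split())
    for sentence in required:
        if sentence not in normalized:
            problems.append(f"missing statement: {sentence!r}")
    return problems


# Constructed sample canaries (not real Fedora canaries).
CANARY_OK = """Issued: 2014-06-11
At no point have I been contacted with warrants of any kind about
inclusion of any kind of malware or backdoor in Fedora's signed secure
boot binaries, nor have I at any time been approached about disclosure
of our signing keys."""

# The same text with the signing-key clause gone, the outcome jimparis's
# test would look for in the next canary.
CANARY_MISSING = """Issued: 2014-06-11
At no point have I been contacted with warrants of any kind about
inclusion of any kind of malware or backdoor in Fedora's signed secure
boot binaries."""
```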


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds